github.com/nextcloud/desktop.git - Unnamed repository; edit this file 'description' to name the repository.
authorMatthieu Gallien <matthieu.gallien@nextcloud.com>2022-10-12 19:01:15 +0300
committerallexzander <allexzander@users.noreply.github.com>2022-10-17 19:32:15 +0300
commitc65be6c80bc881202ac8275a5c65d95c4afeba6f (patch)
treebdd61405a151e0c8c046a6a9dbd92b7c26559938
parenteae8dcf18f8533f5bd0d64fb5a38e7479594f93c (diff)
edit locally requires a valid tokenbackport/5039/stable-3.6
check on server that the token received during a request to open a local file is indeed a valid one Signed-off-by: Matthieu Gallien <matthieu.gallien@nextcloud.com>
-rw-r--r--src/gui/application.cpp11
-rw-r--r--src/gui/folderman.cpp8
-rw-r--r--src/gui/folderman.h2
3 files changed, 18 insertions, 3 deletions
diff --git a/src/gui/application.cpp b/src/gui/application.cpp
index b99bf4a6a..fd5b0c6e6 100644
--- a/src/gui/application.cpp
+++ b/src/gui/application.cpp
@@ -61,6 +61,7 @@
#include <QMessageBox>
#include <QDesktopServices>
#include <QGuiApplication>
+#include <QUrlQuery>
class QSocket;
@@ -764,8 +765,16 @@ void Application::handleEditLocally(const QUrl &url) const
// for a sample URL "nc://open/admin@nextcloud.lan:8080/Photos/lovely.jpg", QUrl::path would return "admin@nextcloud.lan:8080/Photos/lovely.jpg"
const auto accountDisplayName = pathSplit.takeFirst();
const auto fileRemotePath = pathSplit.join('/');
+ const auto urlQuery = QUrlQuery{url};
- FolderMan::instance()->editFileLocally(accountDisplayName, fileRemotePath);
+ auto token = QString{};
+ if (urlQuery.hasQueryItem(QStringLiteral("token"))) {
+ token = urlQuery.queryItemValue(QStringLiteral("token"));
+ } else {
+ qCWarning(lcApplication) << "Invalid URL for file local editing: missing token";
+ }
+
+ FolderMan::instance()->editFileLocally(accountDisplayName, fileRemotePath, token);
}
QString substLang(const QString &lang)
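Review bot: The missing-token branch only logs a warning and then still calls `editFileLocally` with an empty `token`, so the rejection rests entirely on the `token.isEmpty()` guard added in folderman.cpp. That works because the callee also shows the error dialog, but the dependency should be stated here, e.g. `// an empty token is forwarded on purpose: FolderMan::editFileLocally rejects it and informs the user`. The URL arrives through the `nc://` handler and is externally supplied, so the value returned by `queryItemValue` is untrusted; a length and character-set check before it is used further would be worth adding, though the expected token format is not visible in this hunk. The start of handleEditLocally lies outside the hunk.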
diff --git a/src/gui/folderman.cpp b/src/gui/folderman.cpp
index 97d4514d2..740f92f30 100644
--- a/src/gui/folderman.cpp
+++ b/src/gui/folderman.cpp
@@ -1422,7 +1422,7 @@ void FolderMan::setDirtyNetworkLimits()
}
}
-void FolderMan::editFileLocally(const QString &accountDisplayName, const QString &relPath)
+void FolderMan::editFileLocally(const QString &accountDisplayName, const QString &relPath, const QString &token)
{
const auto showError = [this](const OCC::AccountStatePtr accountState, const QString &errorMessage, const QString &subject) {
if (accountState && accountState->account()) {
@@ -1447,6 +1447,12 @@ void FolderMan::editFileLocally(const QString &accountDisplayName, const QString
messageBox->raise();
};
+ if (token.isEmpty()) {
+ qCWarning(lcFolderMan) << "Edit locally request is missing a valid token. Impossible to open the file.";
+ showError({}, tr("Edit locally request is not valid. Opening the file is forbidden."), accountDisplayName);
+ return;
+ }
+
const auto accountFound = AccountManager::instance()->account(accountDisplayName);
if (!accountFound) {
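Review bot: The new guard rejects only an empty token, so any non-empty string taken from the URL passes it, while the log text and the commit description both speak of a valid token checked on the server. No server-side verification is visible in this hunk; the function body continues past `if (!accountFound) {`, so it may exist further down, but if it does not, the file would still be opened for an arbitrary token. Until that check is in place, mark the gap at the guard, e.g. `// TODO: token is only checked for presence here; verify it with the server before opening the file`, and reword the warning to say the token is missing rather than not valid.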
diff --git a/src/gui/folderman.h b/src/gui/folderman.h
index 985fcb50b..584710b4b 100644
--- a/src/gui/folderman.h
+++ b/src/gui/folderman.h
@@ -214,7 +214,7 @@ public:
void setDirtyNetworkLimits();
/** opens a file with default app, if the file is present **/
- void editFileLocally(const QString &accountDisplayName, const QString &relPath);
+ void editFileLocally(const QString &accountDisplayName, const QString &relPath, const QString &token);
signals:
/**
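Review bot: The doc comment above `editFileLocally` still reads "opens a file with default app, if the file is present" and says nothing about the new `token` parameter or that the call is refused without one. Suggest `/** opens a file with the default app if it is present; token is the edit-locally token from the request URL, an empty token is rejected **/`.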